[whatwg] Sandboxing ideas

Alexey Feldgendler alexey at feldgendler.ru
Tue May 15 14:46:19 PDT 2007


On Tue, 15 May 2007 23:37:37 +0200, Jon Barnett <jonbarnett at gmail.com>  
wrote:

>> The OP probably meant that maintaining so many contexts would cause a
>> comparable deterioration in performance.  All user comments should be  
>> put in one security context.
>> With all comments grouped together in such a manner, you could even use  
>> an inline frame.

> I really think comments are a bad use case.  Why would someone allow  
> scripts in comments in any context, much less a sandboxed one?

Sure, comments are probably an unrealistic example. But embedding  
widget-like scripts in blog entries is, I think, realistic.

> The best use case I have thought of so far is MySpace et. al., a site  
> where users have their own page with limited permission in the context
> of the overall site.  MySpace solves this by not allowing scripts at
> all, as most such web sites do.  If possible, such sites might allow a
> user to insert widget scripts with limited permissions.  For this use
> case, iframe isn't ideal, either, but limited scripting and styling
> are desired.

There are contexts in which blog entries by multiple users are displayed  
in one page (aggregation contexts like LiveJournal friends pages).  
Technically this is equivalent to the example with comments: units of  
content authored by different users needs to be protected from each other.


-- 
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com



More information about the whatwg mailing list